lumen-jwt | Lumen with JWT Authentication , Dingo API and CORS Support | Authentication library

Have you tried using this function?

JWTAuth::user();

Taking your two points.

1) You can make an token valid for only a single use, but using blacklist feature. This however isn't entirely necessary.

In my own project, I gave tokens a 5 minute expiry, but I also applied the jwt-refresh middleware to my authenticated routes (wrapped in a route group), so that a new token was returned with every request.

2) You can also specify a refresh expiry, which is the window during which an expired token can be authenticated. This is usually much longer than a token. I used 14 days.

Therefore, if a user leaves your website for 3 hours and comes back, their token will have expired. But your app should attempt to refresh that token in the background and then re-attempt the original request.

Give some thought to the obvious security implications of the respective token lifetimes. 5 minutes is a short window for abuse, but if an expired token can be refreshed for up to 14 days, that increases the risk, unless you're blacklisting it.

The codebase you use makes use of tymondesigns/jwt-auth package. The JWTAuth::attempt method by default makes use of email and password.

The simplest way would be to manually validate the user by the pincode and fetch the user object and generate token using for the user using JWTAuth::fromUser